b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                    Improvements Are Needed to Ensure the\n                      Use of Modernization Applications Is\n                              Effectively Audited\n\n\n\n                                      September 29, 2006\n\n                              Reference Number: 2006-20-177\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-927-7037\n Email Address | Bonnie.Heald@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                  DEPARTMENT OF THE TREASURY\n                                                        WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                                September 29, 2006\n\n\n MEMORANDUM FOR CHIEF INFORMATION OFFICER\n                CHIEF, MISSION ASSURANCE AND SECURITY SERVICES\n\n FROM:                          Michael R. Phillips\n                                Deputy Inspector General for Audit\n\n SUBJECT:                       Final Audit Report \xe2\x80\x93 Improvements Are Needed to Ensure the Use of\n                                Modernization Applications Is Effectively Audited\n                                (Audit # 200620003)\n\n This report presents the results of our review to determine whether the Internal Revenue\n Service\xe2\x80\x99s (IRS) modernized systems generate audit logs that are saved and analyzed to detect\n unauthorized accesses to modernization applications.\n\n Impact on the Taxpayer\n Audit trails1 for the IRS\xe2\x80\x99 modernized systems are not being adequately collected, reviewed, or\n retained. Consequently, unauthorized access and theft of taxpayer records may be occurring\n without being detected, possibly resulting in theft of taxpayer identities. In addition, fraudulent\n transactions and intrusions on IRS systems used to administer tax laws could go undetected.\n\n Synopsis\n The IRS has two approaches for collecting audit trails for the computers supporting its Business\n Systems Modernization effort. Audit trails for the Customer Account Data Engine (CADE)2 are\n stored internally. Audit trails for all other modernized systems are stored centrally and reviewed\n in the Security Audit and Analysis System (SAAS). Neither approach is working effectively.\n\n\n\n 1\n     An audit trail is a chronological log of activities on a computer system.\n 2\n     The CADE is the foundation for managing taxpayer accounts in the IRS\xe2\x80\x99 modernization effort.\n\x0c                   Improvements Are Needed to Ensure the Use of Modernization\n                               Applications Is Effectively Audited\n\n\n\nThe IRS is not monitoring audit trails on the CADE. While the CADE currently stores and\nprocesses only a small fraction of all taxpayer returns, its workload is expected to greatly\nincrease in the next few years. This will place added importance on the IRS\xe2\x80\x99 ability to monitor\naccesses to the sensitive taxpayer records stored in the CADE. We believe CADE transactions\nare not reviewed because only a limited number of users have permission to access the system.\nHowever, these users have powerful access privileges, which could enable them to steal taxpayer\ninformation and take action to disrupt computer operations with little chance of detection.\nThe SAAS audit trails of user and system activities on modernized systems are not being\nadequately monitored. User activity audit trails on modernized systems are not being reviewed\nby the IRS business units and the Treasury Inspector General for Tax Administration (TIGTA)\nfor two reasons. First, while audit trail data are being collected by the SAAS, the data are not\naccurate, reliable, and complete. We reviewed over 3 million audit trail records and found\n48 percent of the places for data required by IRS policy were missing data or contained\ninaccurate information. Second, even if the SAAS audit trails were usable, reports and functions\nfor reviewing them are not yet available, making it unlikely SAAS users could identify\ninappropriate activity on modernized systems.\nSystem activity audit trails are not being adequately reviewed by the Computer Security Incident\nResponse Center,3 to identify security-related events. These audit trails have not been delivered\ntimely and have not been completed sufficiently.\nThe underlying reason why audit trails on the SAAS are not adequately reviewed is the\ninadequacy of SAAS system requirements, which are used to identify the System\xe2\x80\x99s features and\ncapabilities. Although the IRS accepted the SAAS in Fiscal Year 2002, the system requirements\nare still inadequate because much of the SAAS development effort to date has been focused on\nreplacement of the Audit Trail Lead Analysis System.4 This replacement has been a TIGTA and\nIRS priority because the System is aging. However, until all SAAS users emphasize the need to\nreview audit trail data on modernized systems, sufficient priority will not be given to the\ndevelopment of SAAS audit trails.\nOur results indicate the problems with the SAAS we reported5 in August 2004 have not been\nadequately addressed, despite claims by the IRS that the SAAS has been functioning. In\nApril 2005, the IRS responded to questions from the Senate Appropriations Committee that the\n\xe2\x80\x9cSAAS is effectively managing audit trail data for modernization systems.\xe2\x80\x9d We again reported6\n\n\n3\n  This Center was designed to ensure the IRS has a team of capable \xe2\x80\x9cfirst responders\xe2\x80\x9d who are organized, trained,\nand equipped to identify, contain, and eradicate cyber threats targeting IRS computers and data.\n4\n  This is an IRS system that aids the TIGTA in researching unauthorized access of taxpayer data by IRS employees.\n5\n  The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference\nNumber 2004-20-135, dated August 2004).\n6\n  Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized\nSystems (Reference Number 2005-20-128, dated August 2005).\n                                                                                                                2\n\x0c                Improvements Are Needed to Ensure the Use of Modernization\n                            Applications Is Effectively Audited\n\n\n\nproblems with the SAAS in August 2005. In its response to that report, the IRS disagreed with\nour conclusion that audit trails for IRS modernized systems were not functioning. IRS\nmanagement explained the SAAS receives and processes audit trail transactions daily from\nseveral modernization applications and the data could be accessed through queries or reports.\n\nRecommendations\nWe recommended the Chief, Mission Assurance and Security Services (MA&SS), establish a\nreview process for CADE audit trails and ensure they are retained. For the SAAS, the Chief\nInformation Officer should modify modernized system audit trails to comply with SAAS\nstandards and capture information needed by user organizations. In addition, the Chief,\nMA&SS, should reassess the user and system requirements for the SAAS, including the control\nweaknesses identified in this report, and ensure the requirements are assigned a completion date.\nOnce this is complete, SAAS procedures and processes should be reevaluated to ensure the new\nSAAS requirements are incorporated.\n\nResponse\nThe IRS agreed with our findings and recommendations. The MA&SS organization will\nestablish an enterprise process for reviewing the audit trails of all IRS legacy (current) and\nmodernized applications and systems, including CADE audit trails. In addition, it will establish,\nin conjunction with the Chief Information Officer, a viable retention policy for CADE audit trails\nthat is consistent with established IRS policies. For the SAAS, the MA&SS organization will\nreassess the requirements for SAAS audit trails, including identifying all user requirements and\nthe resulting SAAS system requirements needed to achieve them. The IRS will provide a Project\nPlan that includes development of change requests for modification of modernized applications\nto provide audit trail data to, and in the correct format for, the SAAS based on the reassessed\nSAAS requirements. The Plan will include expected implementation dates for each\nmodernization application and will be based on funding and resource availability. Once SAAS\nrequirements are reassessed, the MA&SS organization will establish procedures to ensure audit\ntrails are properly reviewed and will assign staff to monitor failed audit trail records.\nManagement\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n\nOffice of Audit Comment\nThe IRS provided an implementation date of October 2008 for its corrective action addressing\nour recommendation to modify modernized system audit trails to comply with SAAS standards\nand capture information needed by user organizations. We recognize the difficult task the IRS\nfaces in modifying modernized system audit trails to provide usable information, given their\ncurrent state. However, this implementation date will leave the IRS without usable audit trails\n\n                                                                                                  3\n\x0c                Improvements Are Needed to Ensure the Use of Modernization\n                            Applications Is Effectively Audited\n\n\n\nfor more than 2 years. With this response, the IRS is accepting the risk that unauthorized access\nto taxpayer information on modernized systems may occur and not be detected.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at\n(202) 622-8510.\n\n\n\n\n                                                                                                    4\n\x0c                       Improvements Are Needed to Ensure the Use of Modernization\n                                   Applications Is Effectively Audited\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 4\n          Customer Account Data Engine Audit Trails Are Not\n          Being Adequately Monitored........................................................................Page 4\n                    Recommendations 1 and 2: ..............................................Page 5\n\n          Security Audit and Analysis System Audit Trails Are Not\n          Being Adequately Monitored........................................................................Page 6\n                    Recommendation 3:........................................................Page 10\n\n                    Recommendations 4 and 5: ..............................................Page 11\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 13\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 15\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 16\n          Appendix IV \xe2\x80\x93 Additional Information on the Security Audit and\n          Analysis System Audit Trail.........................................................................Page 17\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report .......................Page 21\n\x0c        Improvements Are Needed to Ensure the Use of Modernization\n                    Applications Is Effectively Audited\n\n\n\n\n                       Abbreviations\n\nCADE               Customer Account Data Engine\nCSIRC              Computer Security Incident Response Center\nIDRS               Integrated Data Retrieval System\nI-EIN              Internet Employer Identification Number\nIFS                Integrated Financial System\nIRFOF              Internet Refund/Fact of Filing\nIRS                Internal Revenue Service\nMA&SS              Mission Assurance and Security Services\nMeF                Modernized e-File\nSAAS               Security Audit and Analysis System\nTIGTA              Treasury Inspector General for Tax Administration\nUNAX               Unauthorized accesses and inspections of taxpayer records\n\x0c                   Improvements Are Needed to Ensure the Use of Modernization\n                               Applications Is Effectively Audited\n\n\n\n\n                                           Background\n\nInternal Revenue Service (IRS) procedures state that each of the IRS\xe2\x80\x99 computer systems is\nrequired to collect and maintain adequate audit trail information and that this information is to be\ntimely reviewed. An audit trail is defined as a chronological\nrecord of system activities that allows for the reconstruction,    An audit trail is a chronological\nreview, and examination of a transaction from inception to         record of system activities that\nfinal results. Audit trails can also be used to diagnose            allows for the reconstruction,\ncomputer problems because they capture all user and system          review, and examination of a\nactivities associated with a transaction and provide                         transaction.\ndocumentation that identifies what has been done.\nThe National Institute of Standards and Technology1 states that audit trails can provide a means\nto help accomplish several security-related objectives, including:\n    \xe2\x80\xa2   Individual accountability \xe2\x80\x93 Enables managers to identify and provide information about\n        users suspected of improper modification of data (e.g., introducing errors into a\n        database).\n    \xe2\x80\xa2   Reconstruction of events \xe2\x80\x93 Assesses damage to a system by pinpointing how, when, and\n        why normal operations ceased.\n    \xe2\x80\xa2   Intrusion detection \xe2\x80\x93 Identifies attempts to penetrate a system and gain unauthorized\n        access.\n    \xe2\x80\xa2   Problem analysis \xe2\x80\x93 Provides online tools to help identify problems other than intrusions\n        as they occur.2\nFor the IRS, audit trails on modernized systems are also needed to detect unauthorized access\nattempts, successful accesses of its most critical information, and attacks on its systems. In\nparticular, audit trails are used to identify willful unauthorized accesses and inspections of\ntaxpayer records (UNAX). Identifying UNAX violations became more important with the\npassage of the Taxpayer Browsing Protection Act of 1997,3 which states the willful unauthorized\naccess or inspection of taxpayer records is a crime punishable upon conviction by fines, prison\nterms, and termination of employment.\n\n1\n  The National Institute of Standards and Technology, under the Department of Commerce, is responsible for\ndeveloping standards and guidelines, including minimum requirements, for providing adequate information security\nfor all Federal Government agency operations and assets.\n2\n  The National Institute of Standards and Technology Information Technology Laboratory Computer Security\nBulletin published in March 1997.\n3\n  26 U.S.C.A. \xc2\xa7\xc2\xa7 7213, 7213A, 7431 (West Supp. 2003).\n                                                                                                         Page 1\n\x0c                    Improvements Are Needed to Ensure the Use of Modernization\n                                Applications Is Effectively Audited\n\n\n\nIn addition to identifying UNAX violations, audit trails can be used to identify whether IRS\nfinancial information and transactions have been compromised. Such compromise could result\nin corruption of financial data and limit the IRS\xe2\x80\x99 ability to conduct business. Compromise of\nfinancial information could also result in fraudulent transactions, such as unauthorized payments.\nHowever, none of these events can be detected if audit trails have not been designed to capture\nkey information and are not retained for a sufficient period of time. Also, management must\nhave a formal process for reviewing audit trail reports to effectively respond to system events.\nThe IRS has two approaches for collecting audit trails for the computers supporting its Business\nSystems Modernization effort. For the Customer Account Data Engine (CADE), audit trails are\nstored internally in the system\xe2\x80\x99s database. The CADE is the foundation for managing taxpayer\naccounts in the IRS\xe2\x80\x99 Business Systems Modernization effort and will eventually house taxpayer\naccounts and tax return data for more than 135 million individual and business taxpayers. The\nCADE will incrementally replace the existing IRS Master File.4 The current release of the\nCADE processes selected data for over 1.4 million single filers with no dependents who filed an\nIncome Tax Return for Single Filers and Joint Filers With No Dependents (Form 1040EZ) in\nCalendar Year 2005.\nAudit trails for all other modernized systems are centralized in the Security Audit and Analysis\nSystem (SAAS). See Appendix IV for a list of these systems. The SAAS was initially built by\nthe IRS\xe2\x80\x99 PRIME contractor as part of the Business Systems Modernization effort and was\naccepted by the IRS in 2002. The SAAS is designed to gather user and system audit trail\ninformation from these systems and store this information in a central database that should be\naccessed and used by the following customers:\n    \xe2\x80\xa2   Managers from the IRS business units, who should review user audit trails for\n        questionable activities of their employees on IRS modernized systems, by reviewing the\n        transactions from those systems. Potential UNAX violations and fraudulent transactions\n        are forwarded to the Treasury Inspector General for Tax Administration (TIGTA) for\n        investigation.\n    \xe2\x80\xa2   TIGTA investigators, who are responsible for detecting and investigating UNAX\n        violations in accordance with the Taxpayer Browsing Protection Act of 1997. The\n        TIGTA uses various techniques to analyze audit trail data to identify potential UNAX\n        violations.\n    \xe2\x80\xa2   The Computer Security Incident Response Center (CSIRC)5, which should review system\n        audit trail data generated by operating systems, databases, and applications of\n\n4\n  The IRS database that stores various types of taxpayer account information. This database includes individual,\nbusiness, and employee plans and exempt organizations data.\n5\n  The CSIRC was designed to ensure the IRS has a team of capable \xe2\x80\x9cfirst responders\xe2\x80\x9d who are organized, trained,\nand equipped to identify, contain, and eradicate cyber threats targeting IRS computers and data.\n                                                                                                           Page 2\n\x0c                   Improvements Are Needed to Ensure the Use of Modernization\n                               Applications Is Effectively Audited\n\n\n\n        modernized systems to detect and respond to computer security incidents targeting the\n        IRS\xe2\x80\x99 enterprise information technology assets.\nThis review was performed in the Mission Assurance and Security Services (MA&SS)\norganization and the Modernization and Information Technology Services organization, at the\nEnterprise Computing Center \xe2\x80\x93 Martinsburg,6 in Kearneysville, West Virginia, and in the\nMA&SS organization in Lanham, Maryland, during the period October 2005 through\nMarch 2006. The audit was conducted in accordance with Government Auditing Standards.\nDetailed information on our audit objective, scope, and methodology is presented in Appendix I.\nMajor contributors to the report are listed in Appendix II.\n\n\n\n\n6\n  IRS Computing Centers support tax processing and information management through a data processing and\ntelecommunications infrastructure.\n                                                                                                      Page 3\n\x0c                 Improvements Are Needed to Ensure the Use of Modernization\n                             Applications Is Effectively Audited\n\n\n\n\n                                 Results of Review\n\nThe IRS is not adequately collecting, reviewing, or retaining audit trail data from its modernized\nsystems. Without adequate processes in these areas, unauthorized accesses or security intrusions\ncould be occurring without being detected.\n\nCustomer Account Data Engine Audit Trails Are Not Being Adequately\nMonitored\nThe IRS is properly monitoring audit trails to identify attempts by unauthorized persons to access\nthe CADE, and any security violations noted are sent to appropriate management officials for\nreview and certification. However, once a user is authorized to access the CADE, his or her\nactions are not monitored. The lack of monitoring provides no assurance that an authorized user\nis accessing CADE data for official business purposes only.\nWhile the CADE currently stores and processes only a small fraction of all taxpayer returns, its\nworkload is expected to greatly increase in the next few years, as shown in Table 1. This growth\nplaces added importance on the IRS\xe2\x80\x99 ability to monitor accesses to the sensitive taxpayer records\nstored in the CADE. If the IRS cannot review audit trail information for the current volume of\nreturns, its ability to adequately and effectively review audit trails will diminish when the\nvolume increases in future years.\n       Table 1: Estimated Number of Returns to Be Processed by the CADE\n              Year       Estimated Number of         Year       Estimated Number of\n                               Returns                                Returns\n              2005         1,423,417 (Actual)       2009              70 million\n              2006              4 million           2010              90 million\n              2007             33 million           2011             100 million\n              2008             50 million          2012               135 million\n             Source: Customer Relationship Management Executive Steering Committee, approved\n             October 18, 2005.\n\nThe IRS has not emphasized the need to monitor audit trails on the CADE because it is updated\nprimarily through input of data from other IRS systems. Consequently, only a limited number of\nusers have direct access to the CADE application. The CADE is currently accessible by only\n39 persons including IRS computer personnel, contractors, and TIGTA personnel. However,\nthese users have powerful access privileges that could enable them to steal taxpayer information\nwith little chance of detection. By not reviewing user transactions in the CADE\xe2\x80\x99s audit trails, the\nIRS cannot be assured that security violations are not occurring.\n                                                                                               Page 4\n\x0c                  Improvements Are Needed to Ensure the Use of Modernization\n                              Applications Is Effectively Audited\n\n\n\nAlso, CADE audit trails are not being sufficiently retained. Currently, audit trails are retained\nfor 30 calendar days, a retention period based on available storage space. In comparison, SAAS\naudit trail data are required to be retained for 6 years.\nWe previously identified the CADE audit trail review and retention issues in our August 2005\nreport,7 but at that time, CADE audit trails were retained for only 1 to 2 calendar days and were\nnot being reviewed. We recommended CADE audit trail data be retained and reviewed to detect\nunauthorized accesses. The IRS disagreed with this recommendation, stating that log and audit\nfiles used by CADE system programmers are established for recovery and diagnostic purposes\nand do not capture data related to unauthorized access. In response, we commented that we\ncontinue to believe audit trail information for the CADE should be retained and reviewed. The\nCADE contains tax information for over 1.4 million returns that could be accessed by some IRS\nemployees for unauthorized purposes, potentially resulting in identity thefts. Therefore, audit\ntrail information must be maintained to comply with Department of the Treasury requirements.\n\nRecommendations\nRecommendation 1: To ensure CADE audit trails are reviewed, the Chief, MA&SS, should\nestablish a review process for CADE audit trails. Such a process will aid in current reviews and\nposition the IRS to perform future reviews when the amount of taxpayer information residing in\nthe CADE is significantly larger.\n        Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n        MA&SS organization will establish an enterprise process for reviewing the audit trails of\n        all IRS legacy (current) and modernized applications and systems, including CADE audit\n        trails.\nRecommendation 2: To ensure CADE audit trails are sufficiently retained, the Chief,\nMA&SS, and the Chief Information Officer should establish a viable retention policy for CADE\naudit trails, mirroring, where possible, that of other systems with taxpayer information.\n        Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n        MA&SS organization, in conjunction with the Chief Information Officer, will establish a\n        viable retention policy for CADE audit trails that is consistent with established IRS\n        policies governing records management and retention standards for systems with\n        taxpayer information.\n\n\n\n\n7\n Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized\nSystems (Reference Number 2005-20-128, dated August 2005).\n                                                                                                     Page 5\n\x0c                   Improvements Are Needed to Ensure the Use of Modernization\n                               Applications Is Effectively Audited\n\n\n\nSecurity Audit and Analysis System Audit Trails Are Not Being\nAdequately Monitored\nThe three primary users of the SAAS (the IRS business units, TIGTA, and CSIRC) are\nperforming either no reviews or limited reviews of user and system activity on modernized\nsystems, as recorded in the systems\xe2\x80\x99 audit trails. As a result, possible UNAX violations, other\ninappropriate accesses, or security intrusions may be occurring without being identified.\nAn underlying reason for the lack of reviews is inadequate requirements for the SAAS, which are\nused to identify features and capabilities for the System. SAAS requirements have not been\nadequately identified because much of the SAAS development effort to date has been focused on\nreplacement of the Audit Trail Lead Analysis System, which is currently used by the TIGTA to\nidentify potential UNAX violations on the Integrated Data Retrieval System (IDRS).8 The\nreplacement of the Audit Trail Lead Analysis System has been a TIGTA and IRS priority\nbecause the System is aging. Until all SAAS users emphasize the need to review modernized\nsystem audit trails, sufficient priority will not be given to the development of SAAS audit trails.\nOur results indicate the problems with the SAAS we reported9 in August 2004 have not been\nadequately addressed despite claims by the IRS that the SAAS has been functioning. In\nApril 2005, the IRS responded to questions from the Senate Appropriations Committee that the\n\xe2\x80\x9cSAAS is effectively managing audit trail data for modernization systems.\xe2\x80\x9d In August 2005, we\nagain reported10 problems with the SAAS. In their response to that report, IRS management\ndisagreed with our conclusion that audit trails for IRS modernized systems were not functioning.\nIRS management explained the SAAS receives and processes audit trail transactions daily from\nseveral modernization applications and the data could be accessed through queries or reports.\n\nIRS business units and the TIGTA are not reviewing user activity on modernized\nsystems\nThe IRS business units and the TIGTA are not reviewing SAAS user audit trails, which\ndocument a user\xe2\x80\x99s actions on modernized systems. Specifically:\n    \xe2\x80\xa2   IRS business unit managers are not reviewing employee transactions on modernized\n        systems through the SAAS. The MA&SS organization is currently reviewing user\n        activity for one application to identify employees\xe2\x80\x99 accesses to their own and other\n        employees\xe2\x80\x99 information. The MA&SS organization is planning to train business unit\n\n\n8\n  The IDRS is the IRS computer system capable of retrieving or updating stored information; it works in conjunction\nwith a taxpayer\xe2\x80\x99s account records.\n9\n  The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference\nNumber 2004-20-135, dated August 2004).\n10\n   Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized\nSystems (Reference Number 2005-20-128, dated August 2005).\n                                                                                                           Page 6\n\x0c                       Improvements Are Needed to Ensure the Use of Modernization\n                                   Applications Is Effectively Audited\n\n\n\n            employees to conduct these reviews using the SAAS and eventually to transition these\n            reviews to all IRS functions. However, no timetable for the transition has been\n            established. Transactions by employees on the other systems, as well as those initiated\n            by users accessing systems through the IRS.gov web site, are not being reviewed.\n       \xe2\x80\xa2    The TIGTA is unable to review modernized systems for possible UNAX violations.\n            Currently, the TIGTA only reviews IDRS audit trails to identify UNAX violations, using\n            the Audit Trail Lead Analysis System.\nAt present, the only audit trails available for IRS business unit managers and the TIGTA to\nreview are those for IRS employee transactions. In October 2005, the IRS ceased adding\ntransactions by nonemployees to the SAAS, such as those for tax filers and users of the IRS.gov\nweb site, to address an immediate problem of insufficient data storage and to improve the\nperformance of the System. These transactions are now stored in separate files in the SAAS.\nMA&SS organization personnel informed us this was justified because the TIGTA and IRS\nbusiness units had not provided any requirements to review these data. In addition, these\ntransactions can be made available to the business units and the TIGTA once requirements are\nidentified to review the transactions.\nReviews of user activity are not occurring because a large amount of audit trail data in the SAAS\nis not usable. In addition, reporting features that would aid users in reviewing these data are not\nadequate.\nUser activity data are not reliable, complete, and accurate\nThe audit trails collected by the SAAS do not comply with the IRS\xe2\x80\x99 audit trail requirements. The\ndata collected have significant integrity issues, rendering much of the data unreliable, inaccurate,\nincomplete, and, therefore, unusable. For a record in an audit trail to be useful, certain data must\nbe complete and valid. These data include who initiated the transaction, when the transaction\noccurred, where it occurred, and whether the transaction succeeded or failed.\nWe reviewed over 3 million SAAS audit trail records of modernized systems for November 2005\nand identified over 24 million possible entries11 for data required by IRS policies. Of these, we\ndetermined that 48 percent were missing data or contained inaccurate information. In particular,\nwe found blank entries, incomplete entries with partial numbers or text, and unexpected data\nsuch as numbers where text is expected. In addition to the required entries, the SAAS audit trail\ncan store descriptive information about a transaction, which is useful in the search for UNAX\nviolations. We determined that, while the SAAS audit trail record has 15 places for these\ndescriptive entries, only 1 of the available places contained useful information. In addition to\ninadequate data entries, we identified over 80,200 potentially missing audit trail records and over\n3,400 corrupted audit trail records. Appendix IV presents additional details on this issue.\n\n\n11\n     Each audit trail record has eight entries, or places, for data required by IRS policies.\n                                                                                                Page 7\n\x0c                   Improvements Are Needed to Ensure the Use of Modernization\n                               Applications Is Effectively Audited\n\n\n\nDue to these data integrity issues, the MA&SS organization has not engaged IRS business units\nto review employee activity on modernized systems. The data integrity issues are a result of\ninaccurate and incomplete data being sent to the SAAS by modernized systems and insufficient\ncontrols in place to ensure the audit trail data brought into the SAAS are complete and valid.\nModernized systems send audit trail data to the SAAS, which then processes and tests the data\nfor existence of selected information. However, the following problems with this process exist:\n     \xe2\x80\xa2   Invalid, inconsistent, or incorrectly formatted data are sent from modernized systems.\n         Many of the data integrity issues we identified can be attributed to specific modernized\n         systems. In addition, IRS personnel informed us some modernization application\n         projects did not adequately test the audit trail output their applications produced to verify\n         that the applications were correctly generating audit trail records that met IRS\n         requirements.\n     \xe2\x80\xa2   No tests are conducted to ensure audit trail entries are appropriate and accounted for. The\n         SAAS currently tests incoming audit records to ensure six types of data, such as\n         username and taxpayer identifier, exist in an audit trail record and the fields are not\n         blank. However, there are no SAAS requirements to test the appropriateness of audit trail\n         entries or to ensure all audit records are accounted for.\n     \xe2\x80\xa2   Failed integrity test records are not reviewed. Failed integrity test results are not\n         recorded in the SAAS audit trail; instead, they are recorded in a Failed Audit table. For\n         November 2005, over 620,000 records failed SAAS validity tests. This represents\n         16 percent of all audit trail records sent to the SAAS for November 2005. Based on our\n         discussions with IRS security personnel, the Failed Audit table is not reviewed.\n         Currently, there are no SAAS requirements to provide users with features to review failed\n         audit records.\nDuring our audit, the MA&SS organization submitted a change request for the modernized\nsystem audit trails to be revised to properly recognize user actions as well as comply with\nstandard formats and content. The primary focus of the request was to address inconsistencies in\nhow modernized systems record transaction events and the payload, or transaction content,\nportion of the audit trail record. These changes were requested to be completed by June 2006.\nIn August 2005, we reported12 the IRS did not adequately consider security controls in the\ndevelopment phase of modernized systems. Several inadequate security controls were identified,\nmany of which could have been addressed in the development phase of the systems. Given the\nlack of robust integrity tests and the inadequacy of audit trail data being sent to the SAAS, it is\napparent sufficient emphasis was not placed on audit trails during the development and in\ncertification testing of modernized systems.\n\n\n12\n  Security Controls Were Not Adequately Considered in the Development and Integration Phases of Modernized\nSystems (Reference Number 2005-20-128, dated August 2005).\n                                                                                                      Page 8\n\x0c                   Improvements Are Needed to Ensure the Use of Modernization\n                               Applications Is Effectively Audited\n\n\n\nReport features are not adequate for the business units and the TIGTA\nEven if the modernized audit trails were reliable, it is unlikely that users of the SAAS would be\nable to review them because SAAS features needed to review these data are not yet available.\nThe SAAS is designed to be both the replacement for the Audit Trail Lead Analysis System and\nthe central repository for modernized IRS systems\xe2\x80\x99 audit trails. The SAAS is intended to enable\nIRS business unit, TIGTA, and CSIRC users to generate reports and search audit trail records to\ndetect unauthorized activities and security intrusions on modernized systems. In addition, IRS\nmanagers will be able to certify they have reviewed modernized audit trail reports for their\nemployees, to identify accesses and violations. These reports and functions are specified in the\nSAAS requirements used to develop the System. Similar features are also available on the IDRS\nOn-Line Reports Services application, which aids IRS managers in identifying UNAX and other\nviolations on the IDRS.\nHowever, SAAS reports and certification features have not yet been implemented. Currently,\nusers can search audit trail records only through user-created queries. While report features are\nincluded in the current System requirements, they have not been implemented and do not have\ncompletion dates assigned. This occurred in part because IRS business units have historically\nplaced little emphasis on reviewing audit trail data. For example, a recent TIGTA report13 found\nthat business unit managers were not reviewing audit trail data to detect inappropriate activity of\ntheir employees on the IDRS.\n\nThe CSIRC does not have sufficient data with which to identify intrusions on\nmodernized systems\nWe also determined the CSIRC is performing limited reviews of system audit trails to identify\nsecurity intrusions on modernized systems. System audit trails document the system activities,\nincluding those taken during an attack or intrusion into the system. The CSIRC is performing\nsome reviews of modernized system audit trails. However, these reviews are limited because\naudit trail files needed by the CSIRC are not being sent or sent timely to the SAAS. Procedures\nrequire that these files be sent daily from all modernized systems, excluding mainframe\ncomputers, to a central server (the Log File Collector) for forwarding to the SAAS. In addition,\nthe files sent are not required to be retained for a sufficient period of time. These deficiencies\nare a result of insufficient SAAS requirements. Specifically:\n     \xe2\x80\xa2   Files are not being sent timely. While audit trail files from Microsoft Windows-based\n         modernized system servers generally are sent as required, files from servers running the\n         Sun Solaris operating system are not. Of the 26 Solaris-based modernized system\n         servers, 5 sent their files daily, 18 sent their files weekly, and 3 did not send their files at\n         all. While SAAS system requirements include creation of reports to identify systems that\n\n13\n Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized\nEmployee Accesses (Reference Number 2006-20-111, dated July 2006).\n                                                                                                    Page 9\n\x0c                  Improvements Are Needed to Ensure the Use of Modernization\n                              Applications Is Effectively Audited\n\n\n\n        failed to send data as required, this functionality has not been implemented and no\n        completion dates have been assigned.\n    \xe2\x80\xa2   Consolidated audit trail files are not sent. For Solaris-based computers, two sets of audit\n        trail files can be created. One set contains eight individual files that record different\n        system events. The other set records all events in one consolidated file and can\n        potentially record more system event information. While CSIRC users would like to\n        review information contained in the consolidated audit trail files, these audit trails are not\n        forwarded from the Log File Collector to the SAAS for inclusion in the SAAS audit trail.\n        We reviewed the Log File Collector on December 5, 2005, and identified approximately\n        214 gigabytes of consolidated audit trails covering a 2-week period. These files are not\n        sent to the SAAS because CSIRC personnel and SAAS contractors are not considered\n        security personnel by the IRS and, therefore, are not permitted access to the necessary\n        command to convert the files to a format readable by the SAAS. In addition, SAAS\n        requirements do not specify that the consolidated audit trail files need to be available for\n        inclusion in the SAAS.\n    \xe2\x80\xa2   Audit trail files are not sufficiently retained. After audit trail files sent from modernized\n        systems are received by the SAAS, they are kept for 1 year. Because only selected data\n        from these files are incorporated into the SAAS, it is important for the IRS to retain the\n        files in the event additional research on system activity needs to be performed. The\n        CSIRC requires the SAAS to retain data sent from modernization systems for 6 years, but\n        the requirement does not specify what type of data should be retained. The requirements\n        used to develop the SAAS include only the data stored in the SAAS and not the audit trail\n        files providing the data. During our review, the IRS established an informal policy to\n        store audit trail files for 6 years, but no documentation formalizing this policy was\n        available.\n\nRecommendations\nTo ensure the SAAS can better meet the needs of its customers and audit trail data reported are\nreliable, accurate, and complete, the Chief, MA&SS, should:\nRecommendation 3: Reassess the requirements for SAAS audit trails, including identifying\nall user requirements and the resulting SAAS system requirements needed to achieve them.\nOnce the reassessment is complete, requirements should be assigned completion dates. The\nreassessment process must include the following requirements:\n\xe2\x80\xa2   Additional validity tests to ensure audit trail data received are reliable and accurate.\n\xe2\x80\xa2   Controls to ensure all audit trail records are uniquely identifiable, and completeness tests to\n    ensure all audit records are accounted for.\n\xe2\x80\xa2   Reports and queries to aid in the analysis of audit trail records that failed validity tests.\n                                                                                                Page 10\n\x0c                 Improvements Are Needed to Ensure the Use of Modernization\n                             Applications Is Effectively Audited\n\n\n\n\xe2\x80\xa2   Functionality for review and certification of employee access to taxpayer information, similar\n    to the functions available through the IDRS On-Line Reports Services application.\n\xe2\x80\xa2   Consolidated Solaris audit files that are available for inclusion in the SAAS audit trail. To do\n    this, technical issues preventing these files from being incorporated into the SAAS need to be\n    resolved. Until the issues are resolved, these files should be retained.\n\xe2\x80\xa2   Retention period for source audit trail files sent from modernized systems to ensure files are\n    kept for a necessary length of time.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       MA&SS organization will reassess the requirements for SAAS audit trails, including\n       identifying all user requirements and the resulting SAAS system requirements needed to\n       achieve them.\nTo ensure modernized systems send reliable, accurate, and complete audit trail information to the\nSAAS, the Chief Information Officer should:\nRecommendation 4: Modify modernized system audit trails to comply with SAAS standards,\nensuring data collected are valid and arranged in the proper format. This process should include\nthe solicitation of input from user organizations, such as the IRS business units, TIGTA, and\nCSIRC, to identify their audit trail data needs.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       IRS will provide a Project Plan that includes development of change requests for\n       modification of modernization applications to provide audit trail data to, and in the\n       correct format for, the SAAS based on requirements identified in the corrective action for\n       Recommendation 3. The Plan will include expected implementation dates for each\n       modernization application and will be based on funding and resource availability. The\n       IRS plans to make incremental changes as requirements are developed.\n       Office of Audit Comment: The IRS provided an implementation date of\n       October 2008 for its corrective action to this recommendation. We recognize the difficult\n       task the IRS faces in modifying modernized system audit trails to provide usable\n       information, given their current state. However, this implementation date will leave the\n       IRS without usable audit trails for more than 2 years. With this response, the IRS is\n       accepting the risk that unauthorized access to taxpayer information on modernized\n       systems may occur and not be detected.\nTo ensure new SAAS requirements are included in IRS procedures, the Chief, MA&SS, should:\nRecommendation 5: After completion of the requirements reassessment, reevaluate SAAS\nprocedures and processes to ensure the new SAAS requirements are incorporated and\nresponsibilities for reviewing modernization audit trails are adequately defined. These\n\n\n                                                                                           Page 11\n\x0c                 Improvements Are Needed to Ensure the Use of Modernization\n                             Applications Is Effectively Audited\n\n\n\nprocedures should include reviews for audit trail records that failed validity tests and transactions\nby tax filers and registered users.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation.\n       Once SAAS requirements are reassessed, the MA&SS organization will establish\n       procedures to ensure audit trails are properly reviewed and assign staff to monitor failed\n       audit trail records.\n\n\n\n\n                                                                                             Page 12\n\x0c                Improvements Are Needed to Ensure the Use of Modernization\n                            Applications Is Effectively Audited\n\n\n\n                                                                                    Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the IRS\xe2\x80\x99 modernized systems\ngenerate audit logs that are saved and analyzed to detect unauthorized accesses to modernization\napplications. To accomplish this objective, we:\nI.     Determined whether adequate information was being captured in modernization\n       application audit trails.\n       A. Reviewed policies and procedures specifying system information required to be\n          captured for audit trail purposes.\n       B. Identified the modernization application audit trails that were processed through the\n          SAAS.\n       C. Determined whether modernization applications were generating required audit trail\n          records by obtaining from the SAAS an extract of audit trail records for\n          November 2005, which totaled over 3.6 million records, and reviewing audit trail\n          settings for the CADE. Our analysis of these records identified that 48 percent of the\n          required entries were not usable. We also determined that the CADE audit trail\n          settings were appropriate.\n       D. Assessed the impact of missing audit trail elements on the IRS\xe2\x80\x99 ability to detect,\n          identify, and substantiate unauthorized accesses of modernization applications.\n       E. Determined why modernization application audit trails do not capture required data\n          elements.\nII.    Determined whether audit trails were being retained for required time periods.\n       A. Reviewed policies and procedures regarding audit trails to identify storage\n          requirements for audit trail data, including required retention periods.\n       B. Determined whether modernization applications were retaining audit trail records for\n          required time periods by analyzing audit trail settings and interviewing SAAS and\n          CADE system and database administrators.\n       C. Assessed the impact of absent audit trail records on the IRS\xe2\x80\x99 ability to detect, identify,\n          and substantiate unauthorized accesses of modernization applications.\n       D. Determined why modernization application audit trails are not retained for required\n          time periods.\n\n\n                                                                                           Page 13\n\x0c                Improvements Are Needed to Ensure the Use of Modernization\n                            Applications Is Effectively Audited\n\n\n\nIII.   Determined whether audit trails were being analyzed to detect unauthorized access and\n       other violations.\n       A. Reviewed policies and procedures regarding audit trails to identify monitoring and\n          reporting requirements for audit trail data.\n       B. Determined whether user activity on modernization applications was being\n          adequately monitored by reviewing current reports generated from the SAAS.\n       C. Assessed the impact of inadequate monitoring of audit trails on the IRS\xe2\x80\x99 ability to\n          detect, identify, and substantiate unauthorized accesses of modernization applications.\n       D. Determined why modernization application audit trail monitoring was not occurring.\n          This step included analysis of computer records from SAAS servers for\n          November and December 2005 to determine whether audit trail files were being sent\n          timely to the SAAS. This step included reviewing the records for all modernized\n          systems sending data to the SAAS, in particular those running the Microsoft\n          Windows or Sun Solaris operating systems. Our analysis identified that Microsoft\n          Windows-based modernized system servers generally sent data as required.\n          However, of the 26 Solaris-based modernized system servers, 5 sent their files daily,\n          18 sent their files weekly, and 3 did not send their files at all.\n\n\n\n\n                                                                                         Page 14\n\x0c                Improvements Are Needed to Ensure the Use of Modernization\n                            Applications Is Effectively Audited\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen Mullins, Director\nKent Sagara, Acting Director\nGerald Horn, Audit Manager\nMarybeth Schumann, Audit Manager\nMichael Howard, Lead Auditor\nDavid Brown, Senior Auditor\nMyron Gulley, Senior Auditor\n\n\n\n\n                                                                                     Page 15\n\x0c               Improvements Are Needed to Ensure the Use of Modernization\n                           Applications Is Effectively Audited\n\n\n\n                                                                       Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Chief Information Officer OS:CIO\nDeputy Chief, Mission Assurance and Security Services OS:MA\nAssociate Chief Information Officer, Enterprise Operations OS:CIO:EO\nAssociate Chief Information Officer, Enterprise Services OS:CIO:ES\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Deputy Commissioner for Operations Support OS\n       Chief, Mission Assurance and Security Services OS:MA\n       Director, Program Oversight Office OS:CIO:SM:PO\n\n\n\n\n                                                                             Page 16\n\x0c                Improvements Are Needed to Ensure the Use of Modernization\n                            Applications Is Effectively Audited\n\n\n\n                                                                                 Appendix IV\n\n    Additional Information on the Security Audit and\n              Analysis System Audit Trail\n\nThis appendix provides additional information on audit trail integrity issues for specific\nmodernization applications. The SAAS collects audit trail information from most modernization\napplications, including:\n   \xe2\x80\xa2   Modernized e-File (MeF): The MeF system modernizes the IRS\xe2\x80\x99 existing electronic\n       filing system and provides an Internet-based electronic filing application that taxpayers\n       can use to file IRS forms.\n   \xe2\x80\xa2   e-Services: The e-Services system provides several third-party tools and data collection\n       processes to enhance taxpayer interaction with the IRS.\n   \xe2\x80\xa2   Integrated Financial System (IFS): The IFS is the new IRS financial and cost accounting\n       system.\n   \xe2\x80\xa2   Internet Refund/Fact of Filing (IRFOF): The IRFOF system, also known as \xe2\x80\x9cWhere\xe2\x80\x99s\n       My Refund\xe2\x80\x9d on the IRS.gov web site, allows IRS customers to retrieve their refund status\n       as well as fact of filing information.\n   \xe2\x80\xa2   Internet Employer Identification Number (I-EIN): The I-EIN system allows the general\n       public to apply for an Employer Identification Number over the Internet and receive the\n       number at the same time.\nThe data presented are based on reviewed SAAS data from November 2005, specifically from\nthe SAAS audit trail table (MODTRANS) and two additional SAAS audit trail files for users\nregistered through the IRS.gov web site (REGUSER) and tax filers (TAXFIL). We identified\nissues with required and descriptive audit trail records as well as missing audit records.\n\nRequired audit trail entries\nWe reviewed over 3 million SAAS audit trail records of modernized systems for November 2005\nand determined 48 percent of the data entries required by IRS policy contained missing or\ninaccurate information. For each modernization application we reviewed, Table 1 lists the audit\ntrail requirements specified in the Internal Revenue Manual and the percentage of the entries in\nthe SAAS fields meeting these requirements that were unusable.\n\n\n\n\n                                                                                          Page 17\n\x0c                         Improvements Are Needed to Ensure the Use of Modernization\n                                     Applications Is Effectively Audited\n\n\n\n      Table 1: Percentage of Unusable Required Entries in the SAAS Audit Trail\n                                                                                                                     SAAS\n  Audit Trail Requirement          Field Name    MeF       e-Services         IFS        IRFOF     I-EIN    Other\n                                                                                                                     Totals\n\n Date and time of the event       TIMESTAMP     0.0%         0.5%             0.0%        0.0%     0.0%     0.0%     0.3%\n The unique identifier\n                                  USERID        0.0%         8.4%             0.0%      100.0%    100.0%    0.0%     28.0%\n initiating an action\n Type of event                    EVENTID       7.0%         48.0%            0.0%      100.0%     0.0%     0.0%     46.6%\n Origin of the request for\n identification/authentication    SRCADDR       6.2%         34.0%        83.1%         100.0%     0.0%     0.0%     50.8%\n events\n Subject of event, action\n                                  VARDATA       29.9%        49.4%        100.0%          0.0%    100.0%    0.0%     51.5%\n taken\n Identity of user creating the\n                                  USERID        0.0%         8.4%             0.0%      100.0%    100.0%    0.0%     28.0%\n event\n Role of user, when creating\n                                  None          100.0%      100.0%        100.0%        100.0%    100.0%   100.0%   100.0%\n the event\n Success or failure of the\n                                  ERRORMSG      100.0%      100.0%            0.0%      100.0%     0.0%    100.0%    78.9%\n event\n                     Totals                     30.4%        43.6%        35.4%          75.0%    50.0%     25.0%    48.0%\nSource: TIGTA analysis of SAAS audit trail data for November 2005.\n\nAlthough we reviewed three SAAS audit trail files, the MODTRANS table is the primary audit\ntrail table in the SAAS. Table 2 presents the results of our assessment of the data integrity for\nthe MODTRANS table and displays only those records collected from that table. Currently, the\nMODTRANS table includes audit trail records of IRS employees; therefore, Table 2 lists only\nthose modernized systems accessed by IRS employees.\n     Table 2: Percentage of Unusable Required Entries in the MODTRANS Table\n\n             Audit Trail Requirement               Field Name           MeF         e-Services    IFS      Other     Totals\n\nDate and time of the event                        TIMESTAMP          0.0%             0.0%       0.0%      0.0%      0.0%\nThe unique identifier initiating an action        USERID             0.0%             0.0%       0.0%      0.0%      0.0%\nType of event                                     EVENTID            7.1%             41.3%      0.0%      0.0%      28.7%\nOrigin of the request for                                            6.3%             37.6%      83.1%     0.0%      50.9%\n                                                  SRCADDR\nidentification/authentication events\nSubject of event, action taken                    VARDATA            30.6%            44.7%      100.0%    0.0%      61.1%\nIdentity of user creating the event               USERID             0.0%             0.0%       0.0%      0.0%      0.0%\nRole of user, when creating the event             None               100.0%          100.0%      100.0%    100.0%   100.0%\nSuccess or failure of the event                   ERRORMSG           100.0%          100.0%      0.0%      100.0%    70.0%\n                                 Totals                              30.5%            40.5%      35.4%     25.0%     38.9%\nSource: TIGTA analysis of SAAS audit trail data for November 2005.\n\n\n\n                                                                                                                    Page 18\n\x0c                        Improvements Are Needed to Ensure the Use of Modernization\n                                    Applications Is Effectively Audited\n\n\n\nBecause audit trail records from the other two tables, TAXFIL and REGUSER, are also\nimportant, Table 3 displays percentages of unusable audit trail records collected from these two\ntables. Table 3 lists only those modernized systems accessed by tax filers and registered users.\n                     Table 3: Percentage of Unusable Required Entries in the\n                                  TAXFIL and REGUSER Tables\n              Audit Trail Requirement                  Field Name       MeF         e-Services   IRFOF    I-EIN     Totals\n Date and time of the event                           TIMESTAMP         0.0%          1.1%        0.0%    0.0%      0.6%\n The unique identifier initiating an action           USERID            0.0%          20.0%      100.0%   100.0%    57.5%\n Type of event                                        EVENTID           0.0%          57.3%      100.0%   0.0%      65.6%\n Origin of the request for                                              0.0%          29.2%      100.0%   0.0%      50.6%\n                                                      SRCADDR\n identification/authentication events\n Subject of event, action taken                       VARDATA           0.0%          55.9%       0.0%    100.0%    41.4%\n Identity of user creating the event                  USERID            0.0%          20.0%      100.0%   100.0%    57.5%\n Role of user, when creating the event                None             100.0%        100.0%      100.0%   100.0%   100.0%\n Success or failure of the event                      ERRORMSG         100.0%        100.0%      100.0%   0.0%      88.3%\n                                   Totals                              25.0%          47.9%      75.0%    50.0%     57.6%\nSource: TIGTA analysis of SAAS audit trail data for November 2005.\n\nDescriptive audit trail entries\nIn addition to the required entries, the SAAS audit trail can store descriptive information about a\ntransaction, which is useful in the search for UNAX violations. The SAAS audit trail record has\n15 places for these descriptive entries, which are listed in Table 4.\n  Table 4: MODTRANS Fields Providing Additional Details on User Transactions\n                                               Fields Detailing User Transactions\n                                DOLLARAMT                                              NAMECTRL\n                                TAXFILERTIN                                            MFTCODE\n                                  TAXPERIOD                                           FILESRCCD\n                              TAXFILFILESRC                                          CASESTATCD\n                              TAXFILERINTYPE                                         CAMPUSCODE\n                               REASONCODE                                           CAMPUSACCESS\n                               PLANNUMBER                                                 DLN\n                               OUTPUTCODE\n          Source: TIGTA analysis of SAAS audit trail data for November 2005.\n\nOf these 15 fields, only the following include any information:\n      \xe2\x80\xa2    DOLLARAMT: This field should include the dollar amount of a transaction. However,\n           this field contains no actual dollar amounts.\n\n\n                                                                                                                   Page 19\n\x0c                 Improvements Are Needed to Ensure the Use of Modernization\n                             Applications Is Effectively Audited\n\n\n\n    \xe2\x80\xa2   TAXFILERTIN: This field includes the Taxpayer Identification Number used in a\n        transaction.\nTable 5 lists the percentage of unusable TAXFILERTIN entries in the SAAS audit trail for those\nmodernized systems using the TAXFILERTIN field. Those systems not included in audit trail\nrecords of one or more SAAS tables are labeled as not applicable (N/A).\n  Table 5: Percentage of Unusable TAXFILERTIN Entries in the SAAS Audit Trail\n             SAAS Audit Trail Table    MeF      e-Services     IRFOF      I-EIN     SAAS Totals\n            MODTRANS                  100.0%       0.6%         N/A       N/A          1.5%\n            REGUSER                   100.0%       6.0%         N/A       N/A          6.0%\n            TAXFIL                     N/A         4.0%        2.0%       0.0%         2.0%\n            SAAS Totals               100.0%       8.3%        2.0%       0.0%         2.8%\n           Source: TIGTA analysis of SAAS audit trail data for November 2005.\n\nMissing audit trail entries\nOur analysis of SAAS audit trail records also identified thousands of missing audit trail records.\nEach SAAS audit trail record contains a unique, sequential identification number, which can be\nused to ensure all records are accounted for. We identified over 80,200 missing identification\nnumbers, indicating the records associated with these numbers may be missing or are not\nidentifiable from the SAAS. We identified over 3,400 corrupted audit records for which the\nidentification number was overwritten or not in its proper place. Therefore, approximately\n3,400 of the over 80,200 missing records may be in the SAAS but not identifiable due to the\nrecord corruption. However, there may be more missing records because not all audit trail\nrecords contained a unique identification number. Table 6 presents the applications for which\nthese identification numbers were unusable.\n                         Table 6: Percentage of Unusable Audit Trail\n                       Identification Numbers in the SAAS Audit Trail\n                                               Percentage of Unusable or Missing\n                Application\n                                               Audit Trail Identification Numbers\n               MeF                                           32.2%\n               e-Services                                    42.1%\n               IFS                                           0.0%\n               IRFOF                                         100.0%\n               I-EIN                                         0.0%\n               Other                                         0.0%\n               SAAS Total                                    43.0%\n              Source: TIGTA analysis of SAAS audit trail data for November 2005.\n\n\n\n                                                                                                  Page 20\n\x0c    Improvements Are Needed to Ensure the Use of Modernization\n                Applications Is Effectively Audited\n\n\n\n                                                   Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 21\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 22\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 23\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 24\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 25\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 26\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 27\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 28\n\x0cImprovements Are Needed to Ensure the Use of Modernization\n            Applications Is Effectively Audited\n\n\n\n\n                                                     Page 29\n\x0c'